ETW_NOTIFICATION_HEADER

The ETW_NOTIFICATION_HEADER structure describes an
event notification for several of the operations that the NtTraceControl function performs.

Documentation Status

The ETW_NOTIFICATION_HEADER structure is not documented.
Microsoft has published a C-language definition in the NTETW.H header from the Enterprise
edition of the Windows Driver Kit (WDK) for Windows 10 version 1511.

Were it not for this relatively recent and possibly unintended disclosure, much
would anyway be known from type information in symbol files. Curiously though, type
information for this structure has never appeared in any public symbol files for
the kernel or for the obvious low-level user-mode DLLs. In the whole of Microsoft’s
packages of public symbol files, relevant type information is unknown before Windows
8 and appears in symbol files only for appxdeploymentclient.dll, certenroll.dll
(before Windows 10) and windows.storage.applicationdata.dll.

Layout

The ETW_NOTIFICATION_HEADER is 0x48 bytes in both
32-bit and 64-bit Windows in versions 6.0 and higher: it has no pointer-sized members,
and its one 8-byte member (Reserved2) is already 8-byte aligned, so the size does not
vary with the pointer size. The BOOLEAN at offset 0x0C is followed by three bytes of
alignment padding before Timeout at 0x10. Whether it or something enough like it exists
in versions before 6.0, i.e., before NtTraceControl, is left for another time. Offsets,
types and names in the table below are from the public symbol files described above,
which start at Windows 8. No difference is yet known for versions before Windows 8,
i.e., for Windows Vista and Windows 7.

Offset  Definition
0x00    ETW_NOTIFICATION_TYPE NotificationType;
0x04    ULONG NotificationSize;
0x08    ULONG Offset;
0x0C    BOOLEAN ReplyRequested;
0x10    ULONG Timeout;
0x14    union {
            ULONG ReplyCount;
            ULONG NotifyeeCount;
        };
0x18    ULONGLONG Reserved2;
0x20    ULONG TargetPID;
0x24    ULONG SourcePID;
0x28    GUID DestinationGuid;
0x38    GUID SourceGuid;
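The following is an added example, not code from this page or from Microsoft's NTETW.H: a compiler-neutral mirror of the layout tabulated above, a check that the compiler reproduces the page's offsets and total size, and a decoder that pulls the fields out of a raw 0x48-byte little-endian image of the structure, as one would when inspecting a captured NtTraceControl buffer. Two things it assumes that the page does not state: that ETW_NOTIFICATION_TYPE is a 4-byte enumeration (its values are not given here, so the type is treated as an opaque 32-bit integer), and that NotificationSize counts the whole notification including this header, so a value below 0x48 is treated as malformed. The sample image at the end is constructed for illustration, not captured from a real system.

```c
/* Added example, not code from the page: a compiler-neutral mirror of the
 * ETW_NOTIFICATION_HEADER layout tabulated above, a check that the compiler
 * reproduces the page's offsets, and a decoder for a raw 0x48-byte image.
 * Assumptions the page does not state: ETW_NOTIFICATION_TYPE is a 4-byte
 * enum (its values are not given here), and NotificationSize counts the
 * whole notification including this header, so below 0x48 is malformed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Local stand-ins for the Windows types so this builds on any host. */
typedef uint32_t ULONG;
typedef uint64_t ULONGLONG;
typedef uint8_t  BOOLEAN;
typedef int32_t  ETW_NOTIFICATION_TYPE;              /* assumption: 32-bit enum */
typedef struct { uint32_t Data1; uint16_t Data2, Data3; uint8_t Data4[8]; } GUID;

typedef struct {
    ETW_NOTIFICATION_TYPE NotificationType;          /* 0x00 */
    ULONG     NotificationSize;                      /* 0x04 */
    ULONG     Offset;                                /* 0x08 */
    BOOLEAN   ReplyRequested;                        /* 0x0C, then 3 bytes of padding */
    ULONG     Timeout;                               /* 0x10 */
    union { ULONG ReplyCount; ULONG NotifyeeCount; };/* 0x14 */
    ULONGLONG Reserved2;                             /* 0x18 */
    ULONG     TargetPID;                             /* 0x20 */
    ULONG     SourcePID;                             /* 0x24 */
    GUID      DestinationGuid;                       /* 0x28 */
    GUID      SourceGuid;                            /* 0x38 */
} ETW_NOTIFICATION_HEADER;                           /* 0x48 bytes in total */

#define AT(m, off) (offsetof(ETW_NOTIFICATION_HEADER, m) == (off))

/* 1 if this compiler lays the structure out exactly as the page's table. */
int etw_notification_header_layout_matches(void)
{
    return sizeof(ETW_NOTIFICATION_HEADER) == 0x48
        && AT(NotificationType, 0x00) && AT(NotificationSize, 0x04)
        && AT(Offset, 0x08)           && AT(ReplyRequested, 0x0C)
        && AT(Timeout, 0x10)          && AT(ReplyCount, 0x14)
        && AT(NotifyeeCount, 0x14)    && AT(Reserved2, 0x18)
        && AT(TargetPID, 0x20)        && AT(SourcePID, 0x24)
        && AT(DestinationGuid, 0x28)  && AT(SourceGuid, 0x38);
}

/* Little-endian readers: the structure originates on x86/x64 Windows. */
static uint32_t rd32(const uint8_t *p)
{ return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void rd_guid(const uint8_t *p, GUID *g)
{
    g->Data1 = rd32(p); g->Data2 = rd16(p + 4); g->Data3 = rd16(p + 6);
    memcpy(g->Data4, p + 8, 8);
}

/* Decode one header from a byte buffer. Returns 0 if the buffer is too short
 * or the header's own size field cannot be right (see assumption above). */
int etw_notification_header_decode(const uint8_t *buf, size_t len,
                                   ETW_NOTIFICATION_HEADER *out)
{
    if (len < 0x48) return 0;
    memset(out, 0, sizeof *out);
    out->NotificationType = (int32_t)rd32(buf + 0x00);
    out->NotificationSize = rd32(buf + 0x04);
    out->Offset           = rd32(buf + 0x08);
    out->ReplyRequested   = buf[0x0C];
    out->Timeout          = rd32(buf + 0x10);
    out->ReplyCount       = rd32(buf + 0x14);       /* aliases NotifyeeCount */
    out->Reserved2        = (uint64_t)rd32(buf + 0x18) | (uint64_t)rd32(buf + 0x1C) << 32;
    out->TargetPID        = rd32(buf + 0x20);
    out->SourcePID        = rd32(buf + 0x24);
    rd_guid(buf + 0x28, &out->DestinationGuid);
    rd_guid(buf + 0x38, &out->SourceGuid);
    return out->NotificationSize >= 0x48;
}

/* Constructed sample image (not a real capture), fields in little-endian. */
static const uint8_t kSample[0x48] = {
    0x01,0x00,0x00,0x00,  0x48,0x00,0x00,0x00,  /* 0x00 type 1, 0x04 size 0x48 */
    0x48,0x00,0x00,0x00,  0x01,0x00,0x00,0x00,  /* 0x08 Offset, 0x0C ReplyRequested=1 */
    0xE8,0x03,0x00,0x00,  0x00,0x00,0x00,0x00,  /* 0x10 Timeout 1000, 0x14 count 0 */
    0,0,0,0,0,0,0,0,                            /* 0x18 Reserved2 */
    0x34,0x12,0x00,0x00,  0xBC,0x0A,0x00,0x00,  /* 0x20 TargetPID, 0x24 SourcePID */
    0x44,0x33,0x22,0x11, 0x66,0x55, 0x88,0x77,  /* 0x28 DestinationGuid ... */
    0x99,0xAA,0xBB,0xCC,0xDD,0xEE,0xFF,0x00,    /* ... Data4 */
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0             /* 0x38 SourceGuid (all zero) */
};

/* Small accessors so the decode of the sample can be checked directly. */
uint32_t sample_target_pid(void)
{ ETW_NOTIFICATION_HEADER h; return etw_notification_header_decode(kSample, sizeof kSample, &h) ? h.TargetPID : 0; }
uint32_t sample_destination_guid_data1(void)
{ ETW_NOTIFICATION_HEADER h; return etw_notification_header_decode(kSample, sizeof kSample, &h) ? h.DestinationGuid.Data1 : 0; }
int decode_rejects_short_buffer(void)
{ ETW_NOTIFICATION_HEADER h; return etw_notification_header_decode(kSample, sizeof kSample - 1, &h) == 0; }
```

The layout check is worth running on every compiler that will consume the structure: the offsets depend on the three padding bytes after ReplyRequested and on Reserved2 landing at an 8-byte boundary, and a toolchain that packs BOOLEAN differently would silently shift every later field. The decoder reads by explicit offset rather than by casting the buffer to the structure so that it behaves the same on a big-endian or strictly aligned host as on Windows.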

This page was created on 27th November 2016 but was not published
until 31st December 2018.